
Thread: allow_url_fopen

  1. #1

    Hi - is allow_url_fopen=on still considered a security risk? I asked here and was told it's not a security risk anymore...

    http://www.notonebit.com/forum/viewtopic.php?p=999#999

  2. #2
    Look at his last comment:

    "Search google. Fopen in itself is not a security risk. Sloppy coding using fopen is."


    I guess it's sort of the "guns don't kill people / people kill people" concept. The function itself is not flawed, per se. However, it's dangerous in the hands of unskilled users. (If you have customers on your web boxes, you'll know not everyone is skilled and/or security minded.)

    I believe fopen() is disabled by default with safe_mode on. If not, I'd disable it.

  3. #3
    From what I've been reading, this does not have to do with a programmer's script, but, with what a hacker can do if this "allow_url_open" is enabled on a server...

  4. #4
    Here are some tips about allow_url_fopen:

    Don't enable it unless you ABSOLUTELY need it (from experience).

    If you need it on, then make your code as follows:

    1) Don't include() $_POST,$_GET,$_REQUEST vars directly, hardcode a switch($var), that's the safest way.
    2) Make that var a CONSTANT if you can, so if something that was in the query string is malicious and tries to change the var, it will fail.
    Zach E. - Kualo www.kualo.com
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 | USA: 1-800-995-8256
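    The hardcoded-switch pattern from the tips above, together with the allow_url_include check that the PHP6 remark below touches on, as an added PHP example (not code posted in this thread). The request parameter name `page`, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a ?page= parameter selecting
// local files under ./pages/ (both are assumptions).

// VULNERABLE pattern the thread warns against: the request decides the path.
// With allow_url_include=On a remote URL would be pulled in and executed.
//   include($_GET['page'] . '.php');

// HARDENED: a hardcoded switch is a whitelist. The request only picks a
// label; the actual path comes from code, so nothing in the query string
// can steer include() anywhere else.
function resolve_page(string $requested): ?string
{
    switch ($requested) {
        case 'home':
            return __DIR__ . '/pages/home.php';
        case 'about':
            return __DIR__ . '/pages/about.php';
        case 'contact':
            return __DIR__ . '/pages/contact.php';
        default:
            return null; // unknown labels are rejected, not "cleaned up"
    }
}

// Startup check: log loudly if the server still allows remote includes.
// ini_get() returns "1"/"0" or "" for boolean settings; treat "on" as true.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On: remote file inclusion risk');
}

$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$path = resolve_page($requested);

if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}

// Freeze the chosen path in a constant (tip 2 above) and include that.
define('PAGE_PATH', $path);
include PAGE_PATH;
```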

  5. #5
    I hear in PHP6 that they will have allow_url_fopen default to On, and allow_url_include set to Off. That should fix a lot of issues with this.

  6. #6
    From what I've been reading, this does not have to do with a programmer's script, but, with what a hacker can do if this "allow_url_open" is enabled on a server...
    Right, but the option enabled at the server-level dictates what can go into scripts.


    To summarize, if you set "allow_url_fopen = Off" in php.ini, you prevent people from FOPENing remote URLs. Opening remote URLs in PHP code is useful, but if user input is anywhere near this function, it must be sanitized, sanitized, sanitized. Many people who write scripts never bother, so you can disable it altogether globally.

    Note this isn't a magic bullet. There are many other dangerous functions. Google for "php disable_functions" for more info.
